ssh-audit flagged some weak hashing algorithm which should be disabled #138

graysky2 · 2021-09-08T08:53:58Z

Using ssh-audit on dropbear 2020.81 gave some recommendations for hardening:

key exchange algorithms to remove

(kex) diffie-hellman-group14-sha1

host-key algorithms

(key) ssh-rsa (2048-bit)

message authentication code algorithms

(mac) hmac-sha1
(mac) hmac-sha2-256

With openssh, these can be toggled in the config, but I understand they need to be removed in the source for dropbear. What do you think about the report below?

# general
(gen) banner: SSH-2.0-dropbear
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: disabled

# key exchange algorithms
(kex) curve25519-sha256              -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256@libssh.org   -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) diffie-hellman-group14-sha256  -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1    -- [warn] using weak hashing algorithm
                                     `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) kexguess2@matt.ucc.asn.au      -- [info] available since Dropbear SSH 2013.57

# host-key algorithms
(key) ssh-ed25519                    -- [info] available since OpenSSH 6.5
(key) rsa-sha2-256 (2048-bit)        -- [info] available since OpenSSH 7.2
(key) ssh-rsa (2048-bit)             -- [fail] using weak hashing algorithm
                                     `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                     `- [info] a future deprecation notice has been issued in OpenSSH 8.2: https://www.openssh.com/txt/release-8.2

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com  -- [info] available since OpenSSH 6.5
                                     `- [info] default cipher since OpenSSH 6.9.
(enc) aes128-ctr                     -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-ctr                     -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha1                      -- [warn] using encrypt-and-MAC mode
                                     `- [warn] using weak hashing algorithm
                                     `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha2-256                  -- [warn] using encrypt-and-MAC mode
                                     `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56

# fingerprints
(fin) ssh-ed25519: SHA256:YyovHVKyDg7iB9XhdHvKIIFxCbExKgI97M3sFcdtVcA
(fin) ssh-rsa: SHA256:n6d1G3um65lzJUvWp2pLkHwjAdyndx9Wksxd+pDkPgA

# algorithm recommendations 
(rec) -ssh-rsa                       -- key algorithm to remove 
(rec) -diffie-hellman-group14-sha1   -- kex algorithm to remove 
(rec) -hmac-sha1                     -- mac algorithm to remove 
(rec) -hmac-sha2-256                 -- mac algorithm to remove 

# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>

The text was updated successfully, but these errors were encountered:

mkj · 2021-09-08T13:09:42Z

diffie-hellman-group14-sha1 and hmac-sha1 could probably be disabled imminently. Direct replacements diffie-hellman-group14-sha256 and hmac-sha2-256 were added in Dropbear 2018.76 and 2013.56 respectively, and ECDH methods were earlier too.

The bigger question would be when to disable ssh-rsa - Dropbear only added support for rsa-sha2 a year ago so it might be a bit premature to remove since people are still using older software. They are not long lived signatures, only during KEX.

To avoid a common confusion - once rsa-sha algorithm is removed, existing ssh-rsa hostkeys and authentication keys (authorized_keys) will still work. The client and server just use a different signature format ssh-sha2- internally. (ssh-agents might need upgrading too).

I don't think hmac-sha2-256 should be removed, Dropbear doesn't implement hmac-sha2-256-etm@openssh.com which would be the higher preference. Since 2020.79 Dropbear's first preference cipher is chacha20-poly1305@openssh.com so the mac algorithm doesn't matter in that case.

graysky2 · 2021-12-01T11:38:25Z

This fell of my RADAR... is it something you need do or are these command line switches I can try to disable?

mkj · 2022-07-31T05:48:26Z

The others were dropped,ssh-rsa will be retired in a future release.

mkj · 2022-11-07T14:51:30Z

I'll probably disable it by default in a release next year. In the interim it can be disabled at build time by putting #define DROPBEAR_RSA_SHA1 0 in localoptions.h

…

On 2022-11-07 6:09 pm, cirdecH wrote: Hello @mkj [1], to summarize this issue. To have the ssh-rsa warning from ssh-audit removed, we don't have a config to edit. We should wait for a future release ? -- Reply to this email directly, view it on GitHub [2], or unsubscribe [3]. You are receiving this because you were mentioned.Message ID: ***@***.***>

graysky2 · 2022-11-07T17:24:19Z

@mkj - what are your thoughts on the other algorithms called out in the ssh-audit report?

# key exchange algorithms
(kex) diffie-hellman-group14-sha1    -- [warn] using weak hashing algorithm

# message authentication code algorithms
(mac) hmac-sha1                      -- [warn] using encrypt-and-MAC mode
                                     `- [warn] using weak hashing algorithm
                                     `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha2-256                  -- [warn] using encrypt-and-MAC mode
                                     `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
# algorithm recommendations 
(rec) -diffie-hellman-group14-sha1   -- kex algorithm to remove 
(rec) -hmac-sha1                     -- mac algorithm to remove 
(rec) -hmac-sha2-256                 -- mac algorithm to remove

mkj · 2022-11-08T08:49:59Z

diffie-hellman-group14-sha1 and hmac-sha1 should eventually be disabled by default, probably at the same time as ssh-rsa with sha1.

I'm not intending to remove hmac-sha2-256. From what I can tell ssh-audit flags it because it has problems with CBC ciphers, but Dropbear disables those. chacha20-poly1305@openssh.com is a higher priority too.

graysky2 · 2022-11-08T10:40:48Z

I used the same trick to disable those successfully. Thanks!

#define DROPBEAR_RSA_SHA1 0
#define DROPBEAR_DH_GROUP14_SHA1 0
#define DROPBEAR_SHA1_HMAC 0

ssh-rsa (2048-bit), hmac-sha1, and diffie-hellman-group14-sha1 are weak algorithms. In the case of sha-rsa (2048-bit), a future deprecation notice has been issued.[1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these three until this is made to be the default in the next release of dropbear next year.[2] This PR disables these three at build time until then. 1. https://www.openssh.com/txt/release-8.2 2. mkj/dropbear#138 Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B Signed-off-by: John Audia <therealgraysky@proton.me>

ssh-rsa (2048-bit), hmac-sha1, and diffie-hellman-group14-sha1 are weak algorithms. In the case of sha-rsa (2048-bit), a future deprecation notice has been issued.[1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these three until this is made to be the default in the next release of dropbear next year.[2] This PR disables these three at build time until then. 1. https://www.openssh.com/txt/release-8.2 2. mkj/dropbear#138 Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B Signed-off-by: John Audia <therealgraysky@proton.me> Signed-off-by: bitthief <bitthief@protonmail.ch>

hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms. A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these two until this is made to be the default in the next release of dropbear next year. [2] 1. https://www.openssh.com/txt/release-8.2 2. mkj/dropbear#138 Signed-off-by: John Audia <therealgraysky@proton.me> Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>

ssh-rsa (2048-bit), hmac-sha1, and diffie-hellman-group14-sha1 are weak algorithms. In the case of sha-rsa (2048-bit), a future deprecation notice has been issued.[1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these three until this is made to be the default in the next release of dropbear next year.[2] This PR disables these three at build time until then. 1. https://www.openssh.com/txt/release-8.2 2. mkj/dropbear#138 Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B Signed-off-by: John Audia <therealgraysky@proton.me> Signed-off-by: bitthief <bitthief@protonmail.ch>

hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms. A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these two until this is made to be the default in the next release of dropbear next year. [2] 1. https://www.openssh.com/txt/release-8.2 2. mkj/dropbear#138 Signed-off-by: John Audia <therealgraysky@proton.me> Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>

ssh-rsa (2048-bit), hmac-sha1, and diffie-hellman-group14-sha1 are weak algorithms. In the case of sha-rsa (2048-bit), a future deprecation notice has been issued.[1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these three until this is made to be the default in the next release of dropbear next year.[2] This PR disables these three at build time until then. 1. https://www.openssh.com/txt/release-8.2 2. mkj/dropbear#138 Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B Signed-off-by: John Audia <therealgraysky@proton.me> Signed-off-by: bitthief <bitthief@protonmail.ch>

hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms. A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these two until this is made to be the default in the next release of dropbear next year. [2] 1. https://www.openssh.com/txt/release-8.2 2. mkj/dropbear#138 Signed-off-by: John Audia <therealgraysky@proton.me> Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>

Signed-off-by: bitthief <bitthief@protonmail.ch> kernel: add ASN1 encoder module to keys-trusted The ASN1 encoder module is required on kernel 5.15, fixes build issues. Signed-off-by: bitthief <bitthief@protonmail.ch> mac80211: fix parameter reading of tweak for tx bursting when using VHT Reference: https: //github.com/openwrt/pull/10395 Signed-off-by: bitthief <bitthief@protonmail.ch> dnsmasq: honor IPv6 address MAC assign Signed-off-by: bitthief <bitthief@protonmail.ch> dnsmasq: fix resolv.conf for round-robin DNS configuration Reference: https: //github.com/openwrt/pull/10279 Signed-off-by: bitthief <bitthief@protonmail.ch> dropbear: disable three weak kex/mac algorithms ssh-rsa (2048-bit), hmac-sha1, and diffie-hellman-group14-sha1 are weak algorithms. In the case of sha-rsa (2048-bit), a future deprecation notice has been issued.[1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these three until this is made to be the default in the next release of dropbear next year.[2] This PR disables these three at build time until then. 1. https://www.openssh.com/txt/release-8.2 2. mkj/dropbear#138 Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B Signed-off-by: John Audia <therealgraysky@proton.me> Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: ipq807x: refactor packet steering init Replace a standalone init.d script with a platform implementation as supported by netifd. This avoids a race between netifd and target specific setups. Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: ipq807x: add smp_affinity init script Signed-off-by: bitthief <bitthief@protonmail.ch> generic, qualcommax: config: crypto, ktls, netfilter, misc. Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: config: enable preemptive/RT kernel build Signed-off-by: bitthief <bitthief@protonmail.ch> package: fullconenat Reference: https: //github.com/coolsnowwolf/lede https: //github.com/Chion82/netfilter-full-cone-nat Signed-off-by: bitthief <bitthief@protonmail.ch> kernel: sysctl: update nf_ct settings for fullcone nat Reference: https: //github.com/coolsnowwolf/lede/commit/58692d5c98169249eae7b8cb27b45ce6ecac1d92 Signed-off-by: bitthief <bitthief@protonmail.ch> package: nft-fullcone Add firewall4 and nftables support for fullcone NAT. Reference: https: //github.com/fullcone-nat-nftables/nft-fullcone https: //github.com/fullcone-nat-nftables/openwrt-firewall4-with-fullcone Signed-off-by: bitthief <bitthief@protonmail.ch> firmware: add NSS firmware package Qualcomm NSS offloading requires FW binaries in order to operate, so lets package them from the publicly distributable QUIC repository. So far only IPQ8074 is offered, but repo also hosts IPQ5018 and IPQ6018 NSS FW. Signed-off-by: Robert Marko <robimarko@gmail.com> (cherry picked from commit a17fc42) Signed-off-by: bitthief <bitthief@protonmail.ch> package: kernel: add qca-nss-crypto Add the base Qualcomm driver for EIP197 HW in modern QCA WiSoC-s. Signed-off-by: Robert Marko <robimarko@gmail.com> (cherry picked from commit 90b0290) Signed-off-by: bitthief <bitthief@protonmail.ch> package: kernel: add qca-nss-cfi Add basic version of NSS-CFI registering the EIP197 offloaded algos to the kernel. It still needs to be converted to skcipher for the most interesting algos to work, but hashes work now so lets start with those. Signed-off-by: Robert Marko <robimarko@gmail.com> (cherry picked from commit d3ad6cd) nss-cfi: convert to skcipher Still crashing though. Signed-off-by: Robert Marko <robimarko@gmail.com> (cherry picked from commit 38216af) Signed-off-by: bitthief <bitthief@protonmail.ch> package: kernel: nat46: patches for QCA NSS ECM Signed-off-by: bitthief <bitthief@protonmail.ch> package: kernel: nat46: add kernel 6.1 support Signed-off-by: bitthief <bitthief@protonmail.ch> package: network: iproute2: add NSS QDISC support Signed-off-by: bitthief <bitthief@protonmail.ch> package: kernel: qca-ssdk: fix build with PIE and SSP Signed-off-by: bitthief <bitthief@protonmail.ch> kernel: qca-ssdk: enable parallel building Now that SSDK is being built as a out of tree kmod parallel building finally works, so enable it to cut down the compile time. Signed-off-by: Robert Marko <robimarko@gmail.com> (cherry picked from commit ea66362) Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: dts: add NSS nodes to IPQ807x devices Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: dts: provide label for NSS reserved-memory Provide a label for the NSS reserved-memory node so it can be easily passed to the NSS DRV instead of having to global match by name which is fragile. Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: clk: add missing NSS clocks These clocks are needed by ECM and the other NSS drivers. Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS igs support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS qdisc ifb support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS ECM support Add patches required to support NSS ECM offload. Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: fix ECM BRK panic in nf_conntrack_ecache It seems WARN_ON_ONCE will generate a BRK instruction on arm64 since kernel 5.15, which leads to a kernel panic when loading the NSS ECM module. Reference: https: //github.com/bitthief/issues/9 Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS bridge-mgr support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS DRV qdisc support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS clients qdisc support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS clients L2TP support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS clients PPTP support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS clients iptunnel support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS clients VXLAN support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS clients L2TP offloading support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS clients iptunnel support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA NSS clients tlsmgr support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: QCA MCS support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: crypto: net: QCA NSS CFI and NSS CRYPTO support Signed-off-by: bitthief <bitthief@protonmail.ch> qualcommax: net: fix NULL pointer reference in ipv6_output Signed-off-by: bitthief <bitthief@protonmail.ch> kernel: qualcommax: nss: bump 6.1 to 6.1.62 Signed-off-by: bitthief <bitthief@protonmail.ch> hostapd: update to latest HEAD Reference: https: //github.com/openwrt/pull/13911 Signed-off-by: bitthief <bitthief@protonmail.ch> Custom feed core feeds: use forked dimfishr/nss-packages Enable WiFi Disable autobuild Add all Governors mac80211: ath11k: add HACK patch to fix failing sysupgrade Add HACK patch to fix failing sysupgrade on any device that have ath11k wifi card. Due to some BUG, some packet in the tx ring are never "complated" and moved to the tx completion ring. This cause the related idr of the packet to never be freed and num_tx_pending never decreated to 0. This cause the flush function to timeout and sysupgrade to fail as it takes too much time to terminates the process. Workaround this on the driver side instead of adding an hack to the .sh file to make it easier to drop and track in the future. The workaround is quite simple, when tx_flush is called and the function timeouts every ring is put under lock and idr freed of the stuck packets. THIS IS NOT A FIX BUT A WORKAROUND FOR AN ANNOYING PROBLEM. Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> netfilter: optional tcp window check Revert to ath11k-firmware: update to WLAN.HK.2.9.0.1-01385-QCAHKSWPL_SILICONZ-1 Firewall: disable software offloading qualcommax: netdevice: Add IFF_EXT_HW_NO_OFFLOAD qualcommax: uapi: Add IPPROTO_ETHERIP qualcommax: net: Add bond_is_mlo_device qca-nss-dp: update to 12.4 qca-nss-cfi: update to 12.4 qca-nss-crypto: update to 12.4

mkj closed this as completed Jul 31, 2022

graysky2 mentioned this issue Nov 7, 2022

dropbear: disable three weak kex/mac algorithms openwrt/openwrt#11194

Closed

graysky2 mentioned this issue Nov 9, 2022

Dropbear ssh hardening guide addition jtesta/ssh-audit#159

Closed

graysky2 mentioned this issue Apr 26, 2024

dropbear: DROPBEAR_MODERN_ONLY has no effect when disabled, sha1 is still missing openwrt/openwrt#15281

Closed

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ssh-audit flagged some weak hashing algorithm which should be disabled #138

ssh-audit flagged some weak hashing algorithm which should be disabled #138

graysky2 commented Sep 8, 2021

mkj commented Sep 8, 2021

graysky2 commented Dec 1, 2021

mkj commented Jul 31, 2022

mkj commented Nov 7, 2022 via email •

edited

graysky2 commented Nov 7, 2022

mkj commented Nov 8, 2022

graysky2 commented Nov 8, 2022 •

edited

ssh-audit flagged some weak hashing algorithm which should be disabled #138

ssh-audit flagged some weak hashing algorithm which should be disabled #138

Comments

graysky2 commented Sep 8, 2021

key exchange algorithms to remove

host-key algorithms

message authentication code algorithms

mkj commented Sep 8, 2021

graysky2 commented Dec 1, 2021

mkj commented Jul 31, 2022

mkj commented Nov 7, 2022 via email • edited

graysky2 commented Nov 7, 2022

mkj commented Nov 8, 2022

graysky2 commented Nov 8, 2022 • edited

mkj commented Nov 7, 2022 via email •

edited

graysky2 commented Nov 8, 2022 •

edited